Internal cybersecurity audits rarely make it into the public domain, but when they do they are often an eye-popping read.
Take the Western Australian (WA) Auditor General's recent 2017 report on the state of user account security in an Aussie state that tends a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies …

COMMENTS

As one of the few gatekeepers to having passwords stored in the password manager in the office, I need to tell people (the developers usually being the only people who don't need telling) that <company name>123 is not a good password and I won't accept it about 50% of the time.

Starting to consider sending these usernames and passwords to the whole company to force them to change it given that the password would then become public knowledge. Bad stuff would probably happen though.

Re: Over Your Head

EXACTLY! The real problem is if it's the senior management who isn't following the procedure. You can't force them and executives to do anything because they're over your head (unless you're an executive yourself). Any attempt will be met with a "Who hired this clown?"

Re: Over Your Head

And when you realise a company and its management are like that you go into record mode. Record everything you do and everything you warn them about, via e-mail. Then take backups of said recordings. So when the shit hits the fan you can prove it wasn't your fault and you gave them plenty of warnings. As I guarantee they'll try and blame you if they think they can.

Not that I'm taking advice from him as I've known this for years, but, and ignore political views, Michael Cohen comes to mind. He appeared to love Trump (he was clearly just kissing arse to get what he wanted) but even he was wise enough to record sessions he'd have with Trump (is that actually confirmed as fact yet?), I assume for his own protection in case he ever got screwed over by said person.

Re: Over Your Head

"Users should be following the policy, and the policy should have the backing of senior management."

The only thing that would ensure such backing, short of a massive breach costing money for compensations and fines along with a loss of reputation, would be board level insistence. That insistence would need to be backed up with loss of bonuses and/or promotion as appropriate in the face of an audit report such as this.

Re: Over Your Head

As a sysadmin you don't need to make users care. Users should be following the policy, and the policy should have the backing of senior management. Anything else is doomed to failure.

And the policy should be sane. The danger is that some paranoid IT dweeb comes up with rules so arcane and so irritating to users that they begin to take a perverse delight in thwarting them. The toughest policy in the world is no good if it leads to passwords on post-it notes by screens.

Re: Over Your Head

Tie it to fiscal carrots and sticks. For the hoi polloi, they get a bonus day's wages if they use a password that a determined attempt by IT to crack [using any methods short of rubber-hose cryptography] is insufficient to the task.

For executives, make receipt of *any* bonuses contingent on same.

And for IT, the bonuses kick in when the company's passwords are safe.

Re: Over Your Head

"For executives, make receipt of *any* bonuses contingent on same."

Chicken-and-egg question: How do you enforce rules on executives when it's the executives who make the rules...and often are the ones who demand exceptions or replace the IT people with those who will? And note, this is not as rare as you think.

Easy, you know what is logged and what is not, so log in as the person (not from your own PC), send the person a lot of porn site URLs (straight/gay/lesbian/shemale) from his/her own mail account, remove the mails from the "sent" folder.

When the person reports this, tell them (after some time) that it looks like someone has hacked their mail account. That should teach the person to take security a bit more seriously.

A few years ago I moved a very profitable company with poor IT from POP3/SMTP email with passwords that never changed to Office 365 with proper password policies. Within 2 months I was forced to set the CEO's password to something without the required complexity that would never expire because he couldn't handle picking a new password every 30 days and then remembering it for more than 5 minutes. This for a user that had an online banking security dongle permanently attached to his PC and who would have fallen for one of those "your friend is stranded in a foreign country with no money" scam emails if I hadn't told him to call said friend.

Sometimes it doesn't matter if IT try to do the right thing, the suits overrule us.

All that's going to happen with a 30 day password policy is people will cycle the number on the end of the password and you'll get everyone swearing under their breath as each piece of software forces them to re-enter the password.

Many years ago I worked for a managed services provider that had a contract with a major US bank. We provided support for the entire half of the state.

Their corporate IT folks had a very strict password policy. They required a password change every 30 days, unique passwords, and over 10 characters. What this did however, is to create an environment where no one could remember their passwords. So, on EVERY monitor there was a yellow sticky note with the last few passwords crossed-out, and the current one at the bottom of the list. Even the director for the whole state had the sticky note.

I know an Oxford college which decided to boost security by having a different 4-digit access code for every door into the buildings, instead of one for all doors as previously. This meant that an average student needed to know codes for their staircase, both their tutors' staircases, the common room, the laundry, the library and as many staircases as they had friends on. The result was inevitable: within two days every lock had its code written beside it, usually in something indelible. They went back to one-code-for-all after three days.

I still think that capital letters and special characters are more trouble than they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password and that capital letter requirements are fulfilled by capitalizing the first letter of same.

But consider: an 8 character password with all four character types in play - lower case letter, upper case letter, number, special character - has 72^8 possible passwords (give or take, ignoring any disallowed special characters); somewhere in the region of 7.2E14. If we remove the requirement for upper case and special characters, the number of symbols drops to 36 but we can maintain the same keyspace size within an order of magnitude by adding one additional character and even quintuple it by adding two (1E14 for nine characters and 3.7E15 for 10). If we allow lower case letters alone, the keyspace is still 1.4E14 with 10 characters. What's more challenging for the user: remembering what special character/capital letter/random numeral they jammed into their password, or remembering one or two more characters?

> I still think that capital letters and special characters are more trouble than they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password

So true that hashcat even does this (and a=>@, l=>!, s=>5 style substitutions) and their permutations.

At the end of the day, size matters. A 12 character password consisting solely of lower case a-z has more entropy than an 8 character password consisting of any character (upper and lower), symbol, digit and whitespace.

Those in a position to influence password system design should consider flat out blacklisting terrible passwords. I'd personally consider integrating with Pwned Passwords either directly or by just downloading the list and rolling your own.

I had a go a few years ago. Any new password was first run through this:

https://www.systutorials.com/docs/linux/man/1-pwqcheck/

which recognises that a long password of only two character types is as strong as a short password of four character types. (I didn't use the defaults, FWIW).

After that I ran it through a dictionary checker against a common password list, and a standard word list. If the last (up to) four characters were digits they were stripped before this test. And leet-speak variations were also tested, e.g p455w0rd would fail.

And people *still* managed to come up with piss-poor passwords.

I would like to have gone full john the ripper on it but I wasn't going to be able to sell that one to the customer.
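The two-stage check described in this post (a pwqcheck-style length-versus-character-class rule, then a dictionary check after stripping a trailing suffix and undoing leet-speak), as an added example that is not the poster's code and not pwqcheck itself; the word lists, the leet table, the 40-bit threshold and the trailing-punctuation stripping are assumptions.

```python
import math
import re

# Constructed sample lists; a real deployment would load a full breach-derived
# common-password list and a full word list from disk.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "summer", "monkey"}
WORD_LIST = {"lemonade", "dragon", "arsenal", "football", "battery", "staple"}

# Leet-speak substitutions undone before the dictionary lookup (assumed set).
LEET_TABLE = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                            "0": "o", "5": "s", "$": "s", "7": "t"})

# Approximate alphabet size contributed by each character class.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# pwqcheck-style rule expressed as an estimated keyspace: a long password of
# few classes and a short password of many classes are judged the same way.
# 40 bits is an assumed threshold, not a pwqcheck default.
MIN_BITS = 40.0


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def keyspace_bits(pw):
    """Estimated log2 keyspace: length * log2(alphabet size for the classes used)."""
    if not pw:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet)


def normalise(pw):
    """Lower-case, drop up to four trailing digits/punctuation, undo leet-speak."""
    base = pw.lower()
    base = re.sub(r"[^a-z]{1,4}$", "", base)
    return base.translate(LEET_TABLE)


def check_password(pw):
    """Return (accepted, reason) for a candidate password."""
    if keyspace_bits(pw) < MIN_BITS:
        return False, "too short for the character classes used"
    base = normalise(pw)
    if base in COMMON_PASSWORDS:
        return False, "common password"
    if base in WORD_LIST:
        return False, "dictionary word"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["p455w0rd", "Summer2019", "L3monade.1", "T%7<a&K*",
                      "horse", "correcthorsebatterystaple"]:
        print(candidate, check_password(candidate))
```

Telling the user the reason string rather than a bare "too weak" is the cheapest way to cut the guessing frustration described later in the thread.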

We have to use an 8 character local admin password that looks like it's been typed by someone headbutting a keyboard. Which also changes on a regular basis..... So we poor contractors have to write it down....

I have suggested about changing it to something like <InsertAdminName>isacompletenobhead as it will be easier to remember and using your maths - be more secure?

exponential vs polynomial complexity

“An 8 character password with <72 characters> has 72^8 possible passwords 7.2E14. <Even with only lower case> we can maintain the same keyspace size … by adding one additional character. If we allow lower case letters alone, the keyspace is still 1.4E14”

Exactly! Password complexity is polynomial in the size of the character set and exponential in its length. Given C characters for a password of length M there are C^M possibilities which increases much faster with M than it does with C: exponential vs polynomial.

Longer passwords can be easier to remember and to type: “my idiot sister has two brats” or even “My idiot sister has 2 brats!” (using stupid special-character rules) vs “T%7<a&K*” with only 8 characters. Character limits on passwords are insecure via both complexity and post-it notes.

Why special characters? We all know computers run on just 0 and 1. Enough of those and... it's remembering them that's a pain.

Especially when one user at work needs up to six passwords. Changed on different days, if at all.

My system - 6 letters, one capital; two numerals; no vowels. Special character? Exclamation mark, you creep. Just because a smiling brown pile isn't on my keyboard... I never used APL. Wait, a black heart, that'll do. ...Apparently you're a character that The Register doesn't support, and neither do I.

XKCD example doesn't work for me.

I can't remember the example

Over the last four or five years https://xkcd.com/936/ has been quoted in these forums three or four times most years. Each time I've tried to remember the example password, but can't. Horse and Staple I can remember, was another of the words Door... No and what order are they?

I know if I had to use the password more often I might remember it but there are quite a few passwords I only need to use three or four times a year!

One password I use about monthly is something like sH68*452aX2 and I can just about remember that. Some people's brains seem to be wired differently and can remember different things more easily than other people.

I write them down physically but in an obfuscated way and don't carry the copy around.

My recommendation to friends and family is to use as complex a password system as they find challenging but manageable.

Have throwaway passwords for sites you don't worry about, but not 123456.

Re: XKCD example doesn't work for me.

Another good idea is to use a series for your passwords, for example: animals, boys names, vehicles of whatever denomination you fancy etc... Do a bit of number substitution in a non standard sort of way and add in some specials and if you really want to confuse people then you mis-spell the original word to make it easier for you to remember with the substitutions - this way you can fairly easily be over the 8 characters and it's not difficult to remember, and it's also not too bad to remember the previous ones either. An example of this I once used when I had the dinosaur series was the name quasisaurus (nope, don't think there was ever a dinosaur called that but it translated as Qu45!Sauru$). I'm not saying this is perfect or that it'll work for everyone but it's a start.

Re: XKCD example doesn't work for me.

My preference is for private, family, invented words. As in what your kid called the fridge when he/she was 3 and couldn't pronounce fridge. (something like fwidjerer). Maybe a pair of words to be on the safe side. Just not obvious ones that every three year old seems to say. And any extra obfuscation you can add for length, and remember ( like a three because she was 3 when she said it).

All goes to show that a system of authentication by password alone is not fit for purpose and something better is needed.

My own passwords (I have many dozens of different ones) are based on a formula which takes some context from the environment it is meant for and by applying the formula to that context comes up with a unique string. It means I don't have to remember the dozens of passwords, just one formula.

If I use a login rarely I just make up some crap and forget it, then go through the recovery process every time I need it.

I don't know why this continues to be considered good practice in the industry. Because it's NOT. All this does is encourage writing down the password on a post-it and then putting it on the bottom of one's keyboard.

Forcing someone to remember a new password every 30 days is ridiculous - In this age of smart phones, most (99%) people can't even remember a new phone number every 30 days.

And why 30 days? Why not every day, why not every year, why not every 5 years? Where's the proof that this does anything to improve overall security?

This policy actually results in less actual security - find a better way, this one has got to go.

Nor is it difficult to teach (even CEOs!) methods for creating strong but memorable passwords. No, not correcthorse(...) but using the initial letters of a phrase, or using the strong stub + domain-based suffix method.

"This for a user that had an online banking security dongle permanently attached to his PC"

Perhaps you robbing him might have taught him something? Sounds like he was too thick to notice and he would have blown that money on CEO rubbish like coke, private jets and a dominatrix anyway. CEOs cannot really be victims like real people (class war, fight the power, stick it to the man, eat the rich, etc).

Had a new C level manager who complained that he didn't like having to reset his password every 90 days. My suggestion was that if he didn't do it (i.e. asked to be an exception) he was in breach of IT policy and leaving the business more open to attack. He then said he preferred to just use the one password. He elaborated on his theme for his passwords. The theme he confided was sports based so I logged in as him using his password. You should have seen the look on his face at that point. He'd used his football team plus a number as a password. I had guessed that he'd used the year his football club was founded at the end. He said "in this one instance" I could treat him like a child and explain how I'd done that. I pointed out his love for Arsenal was well known and I had guessed the year might be the suffix. A talk then followed on social engineering given he mentioned he supported Arsenal in interviews he gave to people. Nice guy and grasped the concepts I was talking about very quickly. He agreed that he did need to change his password more often.

The fault was not his. The fault was having a password policy which could be fully complied with in a way which left his password easily guessable.

Well the password guidelines stated that you weren't supposed to pick something easy to guess. He just didn't think that his password was easy to guess. This was also a fair few years ago when an 11 digit password was supposedly harder to crack. After 5 attempts it would have locked the account anyway.

"...proper password policies. Within 2 months I was forced to set the CEO's password to something without the required complexity that would never expire because he couldn't handle picking a new password every 30 days"

Forcing password change every 30 days is not a good password policy. It just encourages use of weak passwords.

While I'm at it... forcing use of special characters is also not a good idea, especially for any company working in an international environment where different locales' keyboards have different subsets of special characters almost always mapped to different keys that can cause all sorts of trouble. Upper + lower case + numbers give 62 options*, which if combined with min password length of say 12 characters is much more secure than 8-character password that has special characters.

"This for a user that... "

Of course as usual the weak link is the idiot user. It's effin unbelievable that as an IT user in financial services I have to go to a bunch of courses about "Know Your Client", anti-money laundering, anti-corruption policies etc (almost all of which I will NEVER encounter / need at work), while there is no course on security including password policies that is compulsory for all users (including business users who would not know this stuff AND who WILL need to use this every day).

Keep an eye on that account. That will be targeted I bet. And if it doesn't have 2FA on, someone, at some point will get into it and set a redirect on his mailbox. I've seen that done before and not be noticed for months unless you're looking for it.

30 days seems pretty excessive, I believe this probably encourages bad passwords (for example just incrementing an integer). Another consideration, perhaps it's better to get fired insisting people stick to good password practice than to be an employee of a company that has a gigantic data breach due to incompetence - because this will be seen as reflecting poorly on the people in IT, not only the executive who might be at fault. I would at least keep evidence of that.

How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ? If so, I don't think the password quality is the biggest security problem.

Perhaps you try a dictionary attack against them - but that's only likely to get the ones you already know to be common, like 'password'. It's not going to catch 'password<random number>' for any but a handful of not-very-random numbers.

It's my understanding that they're stored hashed, with the same password resulting in the same hash. So once you know that value XYZ123 corresponds to "password123" you can go searching for accounts with an associated hash value of XYZ123 and know that they all have the password "password123".

Some systems would combine it with usernames or other predictable data (e.g. fob number or something similar) so they don't all have the same hash but it can be determined by hashing $fobnumber + $username + "password123" (and a bunch of other passwords) and comparing the result against the stored hash.

Takes more time but it's something easily automated!

If someone is actually cracking passwords or intercepting them, there's a problem.

If only that were true, password reuse wouldn’t be such a problem (phishing attacks aside). The trouble is, there is no way of knowing how your passwords are going to be stored and time and again large companies that should absolutely know better have demonstrated they cannot be trusted to implement such basic safeguards.

Sure, but that assumes you have hashes for all the passwords you want to check. It will work for stupidly obvious ones like 'password' but not for a large enough set to be useful. Which is why password crackers start with a dictionary and modify it in increasingly complex ways.

I'm kind of puzzled by the downvotes actually. People are welcome to their opinion, but I didn't expect to get such a consistent level of disapproval for basically asserting that passwords shouldn't be stored in an accessible form.

"How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ? If so, I don't think the password quality is the biggest security problem."

You don't store them unencrypted, of course. But you know the encrypted hash of the most common crap passwords and so can detect and reject these. It's also possible to detect password strength at point of entry and approve / reject it. That's not a security problem at all.

"How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ? If so, I don't think the password quality is the biggest security problem."

If it's your database and you know the hash used and any salts, you can just build your own rainbow table.

You could also log what proportion of password changes are knocked back as policy non-compliant and required to pick something else because the user has tried to pick a weak password.

Many organisations are now polling the HaveIBeenPwned API when users change their password and prevent them using anything in the HIBP database (this uses a k-Anonymity model so you're never sending passwords or complete hashes over the internet). You could log hits the same as people trying policy non-compliant passwords to give you an overview of what proportion of users are trying to use crappy passwords.
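An offline illustration of the k-Anonymity range check and the hit logging described in this comment, as an added example that is neither the commenter's code nor Have I Been Pwned's own client; the three-entry breach corpus and its counts are constructed, and only the real range endpoint URL is taken from the service.

```python
import hashlib
import logging
import urllib.request

log = logging.getLogger("password-change-audit")

# Constructed mini "breach corpus" (password -> times seen) used to fabricate
# range responses offline. The real service holds hundreds of millions.
LEAKED_CORPUS = {"password": 3730471, "123456": 23547453, "letmein": 215762}


def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def split_hash(pw):
    """k-Anonymity split: only the 5-char prefix ever leaves the host."""
    digest = sha1_hex(pw)
    return digest[:5], digest[5:]


# Bucket the corpus by prefix so the fake server can answer like the real one.
_BUCKETS = {}
for _pw, _count in LEAKED_CORPUS.items():
    _prefix, _suffix = split_hash(_pw)
    _BUCKETS.setdefault(_prefix, []).append(f"{_suffix}:{_count}")


def fake_range_response(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The body is one 'SUFFIX:COUNT' line per hash sharing that prefix."""
    return "\r\n".join(_BUCKETS.get(prefix.upper(), []))


def online_range_response(prefix):
    """Real fetcher (makes a network call; not used by the offline demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse a range response body into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(pw, fetch_range=fake_range_response):
    """Times pw appears in the corpus, or 0. The full hash is never transmitted."""
    prefix, suffix = split_hash(pw)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


class PasswordChangeAudit:
    """Gate password changes on the range check and keep the hit proportion."""

    def __init__(self, fetch_range=fake_range_response):
        self.fetch_range = fetch_range
        self.attempts = 0
        self.hits = 0

    def evaluate(self, pw):
        """Return True if the change may proceed; log and count rejected ones."""
        self.attempts += 1
        seen = pwned_count(pw, self.fetch_range)
        if seen:
            self.hits += 1
            log.info("rejected password change: candidate seen %d times in breaches", seen)
            return False
        return True

    def hit_rate(self):
        return self.hits / self.attempts if self.attempts else 0.0
```

Passing `online_range_response` to `PasswordChangeAudit` swaps in the live service; the prefix-only request is what keeps the candidate password off the wire.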

Perhaps you try a dictionary attack against them - but that's only likely to get the ones you already know to be common, like 'password'. It's not going to catch 'password<random number>' for any but a handful of not-very-random numbers.

There are dozens of tools designed for password database cracking. Many have various intelligent levels of hybrid-attack, so it'll start with a dictionary, but then enumerate the dictionary attack with a 1 on the end, then a 2, try the usual 133t substitutions, etc. Faster than a brute force and unfortunately highly likely to get a strike for anything less than a passphrase (multiple words) or a random string from a password manager. Words plus numbers or substitutions tend to follow patterns and the tools know what those patterns are.

Perhaps you try a dictionary attack against them - but that's only likely to get the ones you already know to be common, like 'password'. It's not going to catch 'password<random number>' for any but a handful of not-very-random numbers.

If you have the (encrypted) password database (which you would, if you're doing an official security audit), you'd be surprised at how little time it takes to brute-force a dictionary attack, along with all variants (replacing 1 with !, s with $, vAriAtiON in case, etc. etc.), especially if the passwords aren't salted, and you can do a rainbow attack (hash all the variations up front, and just compare to the hashes in the password database). Once you've got all the passwords that are based on words in the dictionary, you can then start working on the remainder by checking all 8 character passwords, then all 9 character ones, etc. etc. No password is uncrackable, given enough time and computing power, which is why you have policies to regularly change them.

The thing that protects you from a dictionary attack in a production environment is the increasing delay and lockout after 'n' wrong guesses that is built into the login system. These are moot if you can just access the database with the password hashes in (or, in this case, an old copy of it in an easily accessible location), and side-step the authentication gateway.

At a job that will remain nameless to protect the stupid...

I was one of the IT monkeys as an intern. The boss kept having trouble remembering his password, using the reset password link, flubbing the reset process, then calling up IT to fix things.

One day he calls up & demands it be reset, coworker does so & says "I've changed it temporarily to your first name. Log in & change it immediately." Boss hangs up, coworker starts to, & boss calls back so fast it rang as soon as the handset touched the cradle. Boss thunders "It doesn't bloody work!" Coworker & I trade confused looks. Coworker asks incredulously "You can't remember how to spell your first name?" Boss is so loud I can hear him from the next desk over. "Of COURSE I can you bloody fool! It's Y O U R F I R S T N A M E. Now fix the bloody thing!" Coworker & I just stared at the phone in disbelief.

"As one of the few gatekeepers to having passwords stored in the password manager in the office, I need to tell people that <company name>123 is not a good password and I won't accept it about 50% of the time."

Re: Obligatory Dilbert

Re: Obligatory Dilbert user ID

I moved and got a new GP as a result of this. I spotted on my first prescription from the new one that GP ID codes are last name then their first initial. I had a GP who suffered from their code when read out loud sounding like slang for a particular genital. It was a bit unfortunate that.

Dictionaries

One would think that dictionary checks upon creation of password should now be mandatory, and might as well make it the top, say 30, languages used in the country, or maybe the top 200 languages in the World.

Re: Dictionaries

How about running a few password crackers against the login and disabling any accounts that fall to it? Then the people who pick good passwords get to keep them and the people who pick poor passwords have to come cap in hand to IT and ask for a new one.

Re: Dictionaries

"Then the people who pick good passwords get to keep them and the people who pick poor passwords have to come cap in hand to IT and ask for a new one."

Watch it. An executive probably won't go through that door with a cap but with a replacement, and probably a report of a reduced IT budget and a communique to his friends at other firms black-marking you.

Re: Dictionaries

Executives' passwords are to be remembered by their secretary. Solved. Or, they get a golden key card to insert in the PC instead of a password. And it's the secretary's job to take it out after they go home.

None of this is helped by web sites that insist on having a user account where none should be needed. Those get a password which expresses my view of the site. I live in hope that they store them in plain text (it wouldn't surprise me) and sometimes read them.

Yes! Thank you! I do quite a bit of purchasing at the company I work for and every supplier needs a new user account with a password. What's my username at this site I haven't visited in six months? Did they let me use my email? Was their password minimum 6 characters or minimum 8 characters? Did it need a special character? One of them requires a password that is EXACTLY 14 characters long. Another requires a special character within the first four characters. Just give me the option to check out as a damn guest.

I've lost count of the number of occasions where I've gone to log in to one of those '6 month' sites, failed to get the password right after several attempts, clicked the reset password notification, followed the email to reset the password and then get the message that the password I'm attempting to use doesn't comply with rules X, Y, z, 3, %, and then not had to change the password because I can use that information to figure out the particular arcane combination I used in the first place. Just tell me the arcane rules the first time I got my password wrong, dammit!

Is your browser not set to save passwords? Click in username box and choose the likely single username you've created on the site. Don't care what the password is as the browser remembers. Works pretty much every time. I have no idea what most of my passwords are as they were auto-generated and are recalled without my having to do anything other than be logged in to Chrome.

Never the Director's Fault

It would be easy to point the finger at the sys-admins, but how many times does this not fall on the correct shoulders? I only make this point from my own battles in the past to get Information Technology Directors to enforce NIST/ISO 27001 standards. Unfortunately in the commercial sector, if they aren't being forced to adopt a standard, they may choose not to "burden" themselves with "unnecessary" complexity, which leaves the corporation vulnerable.

Until the United States adopts a policy similar to the GDPR, it's next to impossible to hold companies accountable for their own negligence when it comes to information security (Equifax, cough... cough...), and the turd rolls down hill when the fan is engaged.

Password quality is not an absolute

Policies have to be commensurate with risk level, which in turn has to be fairly assessed (we all tend to exaggerate), and one needs to take the whole environment into account not just the individual system.

For instance, the requirements for my El Reg password, where the worst that can happen is that the quality of my comments will improve, and my work laptop disk encryption are not and need not be the same.

Likewise, passwords are not a valid solution across the whole spectrum of risk. There is no point having your 60-rule password complexity and reuse policy to protect an asset once the value of that asset makes it worth it to beat the password, 2FA, etc., out of the password-holder. Or just knock a hole in the wall beside the reinforced door, so to speak.

Re: "Internal cybersecurity audits..."

@JeffyPoooh

I suspect it went something like this:

1) obtain the password hashes (and salts) of say, 10,000 passwords

2) using a common passwords dictionary (easily available from previous research), hash each of those passwords, using their salts, starting with the most commonly used password in your dictionary (e.g. Password123). First pass - 10,000 hashes. If this finds, e.g. 23 matches, then the second entry in the dictionary needs only 9,977 hashes.

3) Once you have eliminated the passwords in the common passwords dictionary, you will have a smaller number of passwords left to crack, e.g. 4,576 of them. You then move onto using a larger dictionary, and making common substitutions, e.g. 1 or ! for i, etc., adding numbers and characters on the end, etc. (e.g. L3monade.1) This is slower, but will get most of the remaining passwords. Each one you crack means fewer hashes for the next dictionary entry.

4) Once you have eliminated all the passwords based on single words, move onto two words, then three, etc. separated by various punctuation, numbers, etc.

5) You will now have a small number of passwords left that are not based on dictionary words (probably in the double digits). If you are still interested in cracking these, then start with the minimum password length (e.g. 8 characters), and run through all the letter/number/character combinations that you haven't previously checked. Each of these you will only have to hash a much smaller number of times.

Eventually, you can crack all of the passwords in the file, salted or not. It is simply a matter of applying enough computing power to it. If you're a researcher, you probably have access to a decent number of processor cycles to do this. If you are a hacker, you are probably using someone else's anyway. A good way to find some for free is to go and check various git repositories for people's AWS keys...

In my experience, user frustration with password complexity rules often happens because they're told only that a password is too weak, and not *why*. Where I work I've watched users fumble for 30 minutes trying to find a password the system would accept. People for whom English is a second language struggle especially hard.

Re: I've always preferred ..

I actually had a user tell me, with a straight face, that they thought their password was safe because it was too obvious for anyone to expect. They'd used "password." Another used their username, but backwards.

Re: If you're having security issues...

Meanwhile our admins have made the password requirements so complex, and expiring every 30 days, that everyone has to write them on a post-it note and place it under the keyboard to have half a chance of logging in the next morning.

Give users an idea of what a password could be, from the examples they might create a good password they can relate to.

When a user has to think of a password they can remember, they are severely limited by their lack of imagination. Further research might find the worst passwords in the least creative people? Accountants? Bosses?

Re: Password security check

Mtlhrw13

But I've changed it.

What does it mean? (1) Nothing, it's random consonants. (2) It means "Metal harrow 13", which is what I remember. And which in turn doesn't mean anything, although it sounds like it does. I don't use "Metal harrow 13", because it's longer but not really more secure. But, I believe, not less secure.

correct horse battery staple. Length is key imo, not complexity. Making it longer but easier to remember rather than shorter and complex helps users and has been the most effective way of killing two issues: users' inability to remember, and the use of simple-to-crack passwords.

We check AD once a month for weak passwords, with just a solid dictionary and one day of checking it's amazing how many so-called 'complex' passwords it will get (mostly due to a solid dictionary of real-world passwords). Those users are reminded twice before having their account locked and having to answer to their manager. Good policy and backing of the business are key to our progress. In the last two years it's dropped from capturing over 60% of the passwords in AD down to around 10%. Still too many, but with a high staff turnover and lots of users it'll never be perfect.

Yes basically. Dump out the hashes and then use something like John the Ripper or Cain and Abel on it.

Worryingly, it's rare I find an AD install where LM hashes are disabled, which makes it even easier. It can hit silly numbers of passwords in very short time spans. NT hashes take a bit longer and need some more work.

A brick in the wall

There is more to IT security than passwords. And it seems to me that if a determined hacker has managed to breach ALL the earlier levels of security, then a few puny keystrokes as the last line of defence won't be much of a deterrent. No matter how long, contrived or frequently changed the password policy requires them to be.

All a computer-level password can be expected to do is to keep out the casual, in-office, user who wants to use someone else's PC to send rude messages to the CEO. While there exist admin-level users with universal access, few hackers would bother trying to brute-force a user password - they would go straight to the root accounts and concentrate on them. Same amount of effort required, far higher gains on a successful breach.

And with the security "wall" that all companies have, there are far more easily exploitable holes than this. The whole "strong password" security theatre is nothing more than that. There are many more pressing security problems that need to be addressed before users' passwords get to the top of the pile.

Re: A brick in the wall

Yes security is more than just passwords, but passwords are pretty important.

Many places offer some form of remote access secured by ... the account password. And yes such services are regularly probed by password guessers.

As to targeting privileged accounts, I've seen a demonstration of someone escalating from a non-privileged account to domain admin in less than an hour. So no, attackers will quite happily target non-privileged accounts.

It's just a mental trick

Passwords really don't have to be so hard. Most people have heard of concepts like mnemonics and even the memory palace, where highly visual oddities are used to aid memory.

So you need a new Amazon password? Picture a bloody great water snake chowing down on a heavy load of pound coins. Twist the expression of the words. Get: "5nake(<LBs" [You have (< for an yawning mouth with a forked tongue, and LBs for the imperial representation for pounds as a weight. The word formed has quite a striking appearance, especially the caps. You can say it, but an eavesdropper still won't actually be able to type it correctly merely from the sound. You won't forget it, or the association with Amazon.]

Corporate login for your health insurance employer? Picture your thoroughly unpleasant boss plummeting onto a hospital bedpan. Get "91tHI75h1t". You can say it ("git hit shit"), but again, an eavesdropper still won't actually be able to type it correctly merely from the sound. And again: memorable, visual, the word itself quite striking in appearance.

Why is it a good defence? Not a single word susceptible to dictionary attack. Ten characters of mixed case alphasymbonumeric, for a choice of at least 70. A bit under three quintillion possible passwords. The most common entry mistake you commit will be typing a letter for a digit or vice-versa, which you probably won't do three times in succession—so, common errors will rarely lead to lockout.

Allowing The Adversary "magic tech" that could try a million different passwords every second without lockout, it would take nearly 90,000 years to try every single possibility. I'm pretty sure your company's planning horizon doesn't extend beyond a decade (and the Board's doesn't extend beyond next January's bonuses) so you should be just fine.

Take a creative two minutes to dream up your new password, stamp the image in your mind, and away you go. (If all else fails, use mental pictures of things connected with food and sex, which are particularly prone to stick in the mind's eye, for some reason.)

Re: It's just a mental trick

And I routinely deal with people with really, REALLY bad memories. That's why I always counter "correcthorsebatterystaple" with "donkeyenginepapercliprong". Their thought processes get twisted around, leading to incorrect recall. Now multiply that by a few dozen.

Re: It's just a mental trick

You don't need to "counter", and it doesn't need a bad memory (or recall, which is more to the point); just a loss of self-confidence within the task will do. Anyone trying to remember a list of random objects with no contextual cues is going to either muddle them or panic and be unable to recall them. Someone who doubts their ability to recall the list even more so. At best correct/horse/battery/staple is going to elicit some kind of "was it a staple or was it a needle?" type of response from a large chunk of the population from time to time.

Re: It's just a mental trick

But that's exactly what I meant by "counter". Forget remembering the password. How bad is it if you can't remember the mnemonic, such that you need a mnemonic for the mnemonic until it's turtles all the way down? Thus "Was it correcthorsebatterystaple or donkeyenginepaperclipwrong?" All four words with similar but incorrect counterparts (horse-donkey, battery-engine, staple-paperclip, correct-wrong) and in the wrong order. This ain't the Middle Ages when memory was basically your only lifeline and life wasn't as complicated as it was.

Re: Layers...like an onion

clear desk policies as a best practice.

Best practice???

By whose definition? Probably not that of the people doing the work of the place, who like their stuff around them, feel comfortable and work well that way. i.e. real people getting results for the organisation.

Work place has to be a human environment, not a machine environment, for most people. And that means photo of the dog/child/car/spouse, potted cactus, furry toy, and some well thumbed documentation.

Oh, and btw if there's no space for a post-it with the password on the desk they'll probably put it in a wallet or lunch box - or even agree to share one. ( Shouts across the room, "Hey Fred, what's the password this month?")

Re: Layers...like an onion

Best practice??? By whose definition?

Pretty much every infosec pro I've spoken to or worked with. On top of that we also consider passworded screen savers a best practice.

New regulatory issues also drive the adoption of these policies, the newest being GDPR. Of course GDPR does not stipulate clear desk policies but as a security manager one would consider a clear desk policy as a mechanism to reduce the risk of data breaches.

Re: Layers...like an onion

Pretty much every infosec pro I've spoken to or worked with

Probably though not the best policy for Bill in Orders, Freda in marketing or Betty in HR who like and need to work in a human environment with familiar cosy items round them and the paper manual with the stuff they need to type no more than 3 inches away. Ultimately they are the organisation and Infosec are the defences. Yes they have to be responsible, but they also have to be able to do their jobs in an effective and comfortable way. And the organisation has to be able to retain them - which means not putting their backs up too much.

Re: Layers...like an onion

Probably though not the best policy for...

We are not talking about family pictures or drawings by one's kids. We are talking specifically about information that is considered sensitive.

So when you don't need it you lock it away. It is not difficult or complicated. Of course if you approach this like a bull in a china shop you will put people's backs up. Much like any project that involves people... get the interaction wrong and you will have an uphill struggle. Basic management 101 (or should be). You are right in that regard. I find most reasonable people understand the reasoning if explained properly... not to be viewed as a punishment but rather a best practice.

Re: Layers...like an onion

I'm not seeing through this clearly. Clear desk, to the point that there are no post-its or anything else means clear desk.

Tidy desk sounds a laudable aim, but isn't relevant to this discussion.

No secure documentation left on the desk is a dead end in this regard if a) they are prepared to keep a written password (already out of bounds everywhere, but pretty much everywhere does it anyway), or b) the premises are meant to be secure, so what difference does a filing cabinet make...... (and if that's just complacency - it probably is - that's a different issue anyway), or c) they aren't convinced that a written-down password (inside their "secure" office) is a problem.

And, as I pointed out already, people will still find other, probably worse ways round it. And yes, I have seen a password written on a lunch box in a staff fridge. Everyone else who had an identified lunch box had their own name on it; one person pointed out that theirs was the one with an identifying string, which was their "log in" (his words). And I've heard staff groups discussing what password to use that month. As in them looking at the table and someone suggesting 4icedbuns because there were 4 iced buns left on the plate. Or, slightly better, saying to a colleague/group "my password is..... just in case I forget." and them sharing/writing down each other's p/w. And no, management won't support IT staff unless it's a really egregious breach - because these are valuable staff who get the organisation's work done.

Ok, from a slightly different angle, how about addressing customer password requirements? I must have over a hundred different passwords, and no single password template would be acceptable at all sites - different lengths, special characters, capitalization, etc. What do you think your customers do? Yeah, the simplest things possible: post-it notes, and unencrypted files listing sites, user ID, and password (I really loved the site that required a special character in the user ID). Here’s a trick I’ve seen done: when the site is saved as a ‘favorite’ it is renamed as siteiduseridpassword, so the result would be: abcbank jtom pass123, SHOWN ON THE FAVORITES BAR. Makes life so easy.

Look, please, if you make the decision, the first question you should ask yourself is, does this application really require a password??? I can log into my electricity account, look at how much I owe, and pay the bill. Why do you require a password?? If someone wants to pay my bill, LET THEM. They have my permission! Now, if you have a feature where I can store credit card info, and pay my bill automatically, then require a password just on that feature.

If your site lets me store recipes, keep track of loyalty points, make comments, etc., then give ME the option to opt out of using a password. I have no fear that someone will post a comment on a site like this under my user name. It would gain them nothing, and at worst, I would change my name and then password protect it. If someone is desperate enough to log into my Subway account and steal loyalty points for a free sandwich, then they may do so, and may God bless. And I have no idea why anyone would go into my Kroger account and mess with my shopping list. I’m not going to buy a crate of spam simply because it is on the list.

Maybe if I didn’t have to contend with this I would be more careful with passwords where they really mattered.

I probably could get a job for Heinz breaking into people's online grocery accounts and substituting Heinz products for the other brands. (Customer relationship meddler, probably.) You won't question it if a store delivers Heinz instead of the brand you requested - that happens - until maybe the fourth time. And then you'll assume it's a bug. But it isn't a bug. It's me. Just conveying orders.

Plus, what if they use your "open" accounts to glean information for a social engineering attack to get to your more secure stuff? That's one reason most sites insist on passwords and so on: they don't want the liability, especially if they're under journalistic scrutiny.

Why protect personal data

You need to keep your electricity bill private, otherwise a thief would know exactly when you are at work or on vacation.

The shopping list is enough for a trained eye to tell who you vote for. Political organizations pay good money for knowing your affiliation and for being able to track how it changes over time. You can tell if someone's [wife is] pregnant just by the shopping list.

I can't find a good example for recipes, but someone will find a use for such information.

Using a password manager makes things simple, even the browser's built in "Remember password" provides more protection than no password.

Re: Why protect personal data

Recipes are probably a clue as to cultural background or maybe even ethnicity, since these kinds of things tend to begin with local ingredients and get passed through the generations if they don't stick to regions. Consider: Not too many people not of German background would probably carry a spaetzle recipe. Fewer still that AND a rouladen recipe, etc.

IT will not win any support

This is typical - what we see is a lot of legacy stuff trussed up in a security policy with very little time to review or modernise.

Regardless of the policy, we still cannot expect people to support or follow policy without more education, or a hard lesson in cause and effect, such as being fined under GDPR.

We still have two problems. Information usually goes into a single bucket, and the security of it becomes IT's problem to fix, monitor and enforce. IT security has become more complex, and the company's solution is to put in generic access barriers and an access policy. We expect that to be propagated to the business to read, understand and follow.

IT is my life, but I appreciate not all people are that way; I too would rather that nurses spent their time nursing.

IT will continue to hurt until better systems exist that can classify information correctly, silo it correctly, then put the correct access requirements in place - taking away that decision from general users.

Sure, content management and correctly marked templates are viable, but I've not seen an organisation, private or public, that fully understands how to use information metadata, let alone how to silo and protect it properly.

How about limiting the number of login attempts?

Surely if there is a limited number of failed logins (say 10 failures and the account is locked) then unless the user has completely stupid passwords like "password" then a dictionary attack won't work. Limiting the number of failures seems to be able to overcome these types of attacks and protects users from themselves.

Any system that allows thousands of failed logins is asking to be hacked - you can't rely on users to have sufficiently complex passwords to resist millions of brute force attacks.
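The lockout the two comments above describe, as an added example (not code from the original thread): a failure counter per account with the "10 failures and the account is locked" threshold, a rolling window so stale failures drop off, and the detail that a correct password is still refused while the lock is active. The policy numbers and the injectable clock are assumptions for illustration.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict


@dataclass
class LockoutPolicy:
    """Constructed policy values; the threshold of 10 is the one the comment proposes."""
    max_failures: int = 10
    window_seconds: float = 900.0     # failures older than this no longer count
    lockout_seconds: float = 1800.0   # how long the account stays locked


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed attempts per username and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _prune(self, state: AccountState, now: float) -> None:
        # Drop failures that fell out of the rolling window.
        while state.failures and now - state.failures[0] > self.policy.window_seconds:
            state.failures.popleft()

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._state(user).locked_until

    def attempt(self, user: str, credentials_ok: bool) -> str:
        """Record one login attempt. Returns 'locked', 'denied' or 'allowed'.

        credentials_ok is the result of the real credential check. While the
        account is locked the answer is 'locked' even if the password was right,
        so a guesser cannot keep probing through the lock.
        """
        now = self.clock()
        state = self._state(user)
        self._prune(state, now)
        if now < state.locked_until:
            return "locked"
        if credentials_ok:
            state.failures.clear()   # a good login resets the counter
            return "allowed"
        state.failures.append(now)
        if len(state.failures) >= self.policy.max_failures:
            state.locked_until = now + self.policy.lockout_seconds
            state.failures.clear()
            return "locked"
        return "denied"


def demo() -> list:
    """Constructed run: ten wrong guesses against one account, then a correct one."""
    fake_now = [0.0]
    guard = LoginGuard(LockoutPolicy(), clock=lambda: fake_now[0])
    outcomes = [guard.attempt("alice", False) for _ in range(10)]
    outcomes.append(guard.attempt("alice", True))  # right password, but locked
    fake_now[0] += LockoutPolicy().lockout_seconds + 1
    outcomes.append(guard.attempt("alice", True))  # lock expired, allowed
    return outcomes
```

Lockout on its own lets anyone who knows a username lock that user out, so in practice it is paired with rate limiting by source and with alerting on bursts of lockouts rather than used alone.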

The Only Winning Move is Not to Play

Having gone through a variety of iterations of password policies and security headaches, I have formed the opinion that the problem isn't that there are "good" passwords and "bad" passwords, or "good" password policies and bad ones. Rather, I have concluded, if the answer is "a username and password", you're probably asking the wrong question. Computers are really good at storing, copying, transmitting and manipulating simple information. Username and password as a means of securing data just isn't appropriate in the present day.

Re: The Only Winning Move is Not to Play

To which the next question would be, "Then what do you use that can work even with CEOs with poor recall, can't be stolen or coerced, and can't be copied or imitated?" If even ONE of those gotchas remains, it WILL be exploited: for the lulz if nothing else.

...Use of @ ! $, etc is frowned upon because of code-page translation difficulties (SecAdmin says "Use 'em if you want, but don't come crying to me if things go wrong!")

...Passwords expire every 30 days

...New password cannot be any of the previous thirteen

...New password cannot feature anything from a long list of prohibited character sequences

...Three tries and you're out. (SecAdmin has to manually reset password to an expired one that I have to change again upon first - successful - retry)

Coming up to my 50th-ish year of working on IBM mainframe systems protected by RACF and I've never once, not ever, had my password cracked or my account hacked, etc., and - to the best of my knowledge - none of the systems I've worked on has suffered any form of exposure either (if they did then *I* never got to hear about it).

Re: What's so difficult?...

"Three tries and you're out."

So what happens when it's an executive that gets locked out, misses closing a deal because of it due to not being able to get critical documents in time, and starts asking, "Who hired these clowns that cost us the deal?"

Re: What's so difficult?...

Three?? With both a username and a password to try and recall. And with several dozen accounts in your life?

It can take two or three goes just to get the right username. And then there are the password choices ("Did I use that one with the battery and staple or whatever they were, or is this the one that's my mother's middle name plus my golf handicap, and did it have to have a special character....?"). With the best will in the world you have to expect most users to need more than three attempts at least once or twice a month if they aren't logging in every day.

Passwords LOL

It's a constant battle for any sysadmin - shared accounts, admin passwords never expiring, stale user accounts. When I started with my current employer they had a practice of never deleting old user accounts (in case they wanted to come back), passwords were forced to change *once a year* and half the company was using a variation of the [companyname]123.

It's not until something happens (we got hit with a ransomware attack late last year) that the SMT starts paying attention to cyber security, particularly if you aren't an IT-centric company; we are manufacturing, so IT is a support element rather than core to the business. It's been a battle just to get USB device control and web/mail content filtering in place, and for the most part I've had to put it all under the banner of "GDPR compliance" to make any headway.

Unless you have the backing of the SMT and above, or suffer a major security leak, the company just thinks you are being difficult for the sake of it.

The other usability thing that is most often ignored is the ability to get special characters on mobile devices with pop-up keyboards. At least 3 extra taps to get a % symbol and back to alpha, not to mention how bloody obvious that can be to someone peering over your shoulder.

Store all your passwords in your wallet...

I use https://www.passwordcard.org/en for (some) of my passwords.

I have an algorithm based on domain name (one letter and number of characters gives me a start point) that lets me work out/replicate where the password starts, which direction it goes (one of the 8 cardinal directions based on TLD) and how long it should be.

Do not need to use on my devices as I have my KeePass db, and don't use for all websites, but does let me access "throwaway" sites with a strong password, and access to my secondary email account which will allow (indirectly) access to primary email (and thence my KeePass backup) when I'm out and about/abroad/etc.

Re: Store all your passwords in your wallet...

Thing is, you can MIS-recall your algorithm, and everything starts going wrong and you can't recall the right method you were using. I routinely have to deal with people with such bad recall they common words, sometimes their own name, yet need online access to reach their appointments, benefits, bills, etc. Makes me worry if their caregiver pops the cogs before them from stress...

If you force people to change their password every 30 days they will simply start creating easy to remember passwords.

We live in an age of passwords and pin numbers. We don't get to create or change them all, but we have to remember them all. And there are a lot of them in our lives.

I can appreciate the desire to keep systems safe, but yours isn't the only password that people have to remember in their lives, and increasing the complexity of the password and the frequency of changes will simply result in people choosing simpler combinations, repeating combinations with only minor changes, or both.

Re: All you need is a simple script...

Problem is, that first step is often the hardest, as the top brass are often the LEAST likely to approve of ANY security plan, seeing as how they need to get to the crown jewels anytime, without notice (in their perception) in order to keep the business going. They basically can't see it until it hits them directly, by which point it's probably already too late.

Haveibeenpwned and password managers

To solve the problems of bad passwords, I am surprised no one has suggested checking the passwords users submit against haveibeenpwned. At least then you do not have a password that is out there in the wild (and it immediately solves the stupid passwords). Such a plugin to AD would help enormously. It could check offline; if it finds a bad password it locks the account and forces a password reset.

Overall, I think the only way forward is a password manager that provides you with a random password checked against such a database for each site. The password manager enforces a strong password that doesn't change. All passwords are regularly checked against the haveibeenpwned dictionary to ensure it has not been lost by some organisation.

Something like Bitwarden, which can be self-hosted if you think that is more secure, is a great option although it does not give all the functionality I'd like at the moment.
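The breach-list check the comment above proposes, as an added example (not code from the thread or from the Have I Been Pwned project): the Pwned Passwords range lookup works by k-anonymity, sending only the first five hex characters of the password's SHA-1 and matching the remaining 35 locally against the returned "SUFFIX:COUNT" lines. The leaked-password corpus and its counts below are constructed so the check runs offline; the live endpoint https://api.pwnedpasswords.com/range/<prefix> is assumed to have that response format.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the breach corpus: illustrative passwords with made-up
# prevalence counts. The real service holds hundreds of millions of entries.
CONSTRUCTED_LEAKS: Dict[str, int] = {
    "password": 3861493,
    "Password123": 133000,
    "qwerty": 3946737,
    "L3monade.1": 2,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaks: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Group leaked hashes by 5-char prefix: prefix -> {35-char suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in leaks.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def offline_range_fetcher(index: Dict[str, Dict[str, int]]) -> Callable[[str], str]:
    """Fake server: returns the same 'SUFFIX:COUNT' lines the live endpoint would."""
    def fetch(prefix: str) -> str:
        rows = index.get(prefix.upper(), {})
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(rows.items()))
    return fetch


def live_range_fetcher(prefix: str) -> str:
    """Real lookup (network); only the 5-char prefix ever leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix.upper()}"
    with urllib.request.urlopen(url, timeout=10) as resp:  # not used by the offline demo
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 if never seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def check_submitted_password(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Policy from the comment: reject any password that is already 'out in the wild'."""
    seen = pwned_count(password, fetch_range)
    if seen:
        return False, f"rejected: seen {seen} times in known breaches"
    return True, "accepted: not present in the breach corpus"


def audit_candidates(candidates: List[str], fetch_range: Callable[[str], str]) -> List[bool]:
    """Batch form of the check, e.g. for a password-change hook or a periodic re-check."""
    return [check_submitted_password(pw, fetch_range)[0] for pw in candidates]
```

A production AD hook would run the same suffix match against the downloadable NTLM-ordered list rather than calling the API per user, since AD stores NT hashes, not SHA-1 or plaintext.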